CS TimeClock
Access Control Specification
Document Date: August 2013
Document Status: Version 1.2
Program Status:
Version 1. Implemented in CS TimeClocks version 1.15 and later.
Version 1.1. Implemented in CS TimeClocks version 1.16 and later.
Version 1.2. Implemented in CS TimeClocks version 2.04 and later.
© 2013 by CapeSoft Software
Contents
1. Introduction
2. Readers
3. Electronic Door Locks & Turnstiles
4. Open-Door Feedback
5. Areas
6. Anti-Passback
7. Pathing
8. Payroll Requirements
9. Access Rights
10. Time Zones
11. Locked Mode
12. Errors
13. Adding a reader to a clock
14. Relay Settings Table
15. Tables
Document version history
Version 1.2.
1. Introduction
The CS TimeClock range of clocks has a number of functions available to you that are helpful in limiting
access to your premises. You are free to use as many, or as few, of these features as you like.
Note: To implement Access Control effectively you will need to either make use of the CS
TimeClock Web Interface, or external PC software. Access Control functionality cannot be
managed exclusively from the keypad.
This document covers information useful to the owner of the clock, as well as additional technical
information aimed at programmers accessing the clock remotely.
2. Readers
Your clock can be configured with 2 readers, or with a single reader. Many of the Access Control
features are only effective if the clock is configured with 2 readers. For large sites with many clocks
and/or many employees, dual readers will dramatically reduce the incidence of incorrect clockings. Extra
readers are available if your clock only has 1 reader.
Some of the Access Control features are only useful when you have more than 1 clock. However, even
with one clock some of the Access Control features are useful.
3. Electronic Door Locks & Turnstiles
Although the clock offers advanced access control functionality, the effectiveness of the access control
depends largely on the physical mechanisms used to manage the people flow through the door.
The most effective means of managing people flow is the turnstile. Turnstiles are electronically controlled, and only allow
a single person through at a time.
A less effective approach, but still a useful one, is to use a door with an electronic lock. A valid swipe is
required to open the door; however, an unknown number of people can use the door while it is open.
CS TimeClocks have up to 3 relays capable of driving external devices.
Note: The number of external devices supported by the clock is dependent on the clock model.
If you plan to use external locks, or turnstiles, make sure you select an appropriate clock model.
4. Open-Door Feedback
To prevent electronic doors from being propped open, a feedback mechanism has been built into the
clock. However, this mechanism is not yet available for use.
Note: The number of doors that can be monitored by the clock is dependent on the clock model.
If you plan to monitor open doors, make sure you select an appropriate clock model.
5. Areas
The most fundamental concept around which all access control revolves is the concept of areas.
An area is a physical space bounded by one or more clocks. Even with a single clock there are always two
default areas defined (Inside, and Outside). As you add more clocks to your system it becomes possible
to divide Inside into two or more areas. As employees move from one area to another they may, or may
not, be required to clock.
Example: You have a clock on your main front door, and another on the cafeteria door. When
employees arrive for work they move into area “Office”. At lunch time they move from area
“Office” to area “Cafeteria”. They are now said to be IN the Cafeteria. After lunch they leave the
Cafeteria, and move back into the Office. At the end of the day they leave the Office and go
Outside.
If you are using access control then the first step is to draw a physical picture of your
site, and identify what distinct areas you wish to have. Remember that you need a clock at every
boundary between two areas. In our example above, if the cafeteria had 2 doors, then you would
require 2 clocks to form the boundary between the office and the cafeteria.
Don’t forget that “Outside” is always one area.
Once you have your diagram, you can assign an “In” area, and an “Out” area to each reader that you
have. While setting these the best questions to ask are “If the user swipes his card on this reader, which
area is he going in to? If he swipes his card on this reader which area is he leaving?”
If you have 2 readers on the clock, then each reader will have a firm answer to these questions. Not
surprisingly when you have 2 readers, the In and Out areas are usually opposite for the 2 readers.
If you only have 1 reader on the clock then the clock will “toggle” the direction, depending on the
employee’s current status. If he is already Out, then he’s coming In, if he’s already In, then he’s going
Out, and so on. Please note that some access control functionality is restricted on clocks with only 1
reader, because the clock does not know for sure whether the employee is coming or going.
Tip: When talking about IN and OUT it’s easy to confuse this with the Payroll status of the
employee. However the payroll status is completely independent of areas, and should be
mentally ignored when setting up the IN and OUT area for the clock.
Advanced:
A clock with a single reader could be set to a specific direction, rather than to toggle. You would use this
on a door that only allows employees to flow in one direction, or where they are required to clock IN to
an area, but not OUT of it.
Equally, a clock with 2 readers can set BOTH readers to IN or both to OUT. In this case 1 clock can
control 2 “one way” doors.
6. Anti-Passback
To activate Anti-passback for the clock;
1. Set the Area Restriction (CA) for the readers to 1.
2. Set the IN area for the readers.
3. Set the OUT area for the readers.
4. Make sure the otherdev table on all clocks is up to date.
ERROR TEXT = “Already in TO area”
Anti-passback is usually used in situations where a turnstile exists. If you do not have a mechanical limit
on the entrance then turning this feature on in the clock does not have much of a “real” effect.
Anti-passback can be a useful feature, even if you only have a single clock.
The goal of anti-passback is to prevent an employee passing his card to another person, who is outside,
while the employee is inside, thus allowing another person to enter on the same card.
This feature only applies if the clock has 2 readers, an IN reader and an OUT reader. If the clock only has
1 reader, then the clock will automatically toggle the user’s direction so there’s no distinction between 2
people coming in, and 1 person coming in, and going out.
Each reader on the clock needs to have the IN area and OUT area for the reader set.
If the Reader is set as an IN reader, then the employee is always moving from OUT to IN when using the
reader. The rules for this reader therefore only apply when he is coming IN.
If the Reader is set as an OUT reader, then the employee is always moving from IN to OUT when using
the reader. The rules for this reader therefore only apply when he is going OUT.
If the Reader is set as a TOGGLE reader, then the rules apply the same in both directions.
To activate Anti-passback for the reader, set the Area Restriction (CA) for the reader to 1.
If the employee attempts to clock in, when they are already in, or out when they are already out, then
the error displayed will be Already in TO area. A clocking, type 52, will be created to log the attempt.
Programmers Note:
  Tables:
    Daughter:
      ca1, ca2, ca3, caf1 is set to 1 for Anti-pass-back to be on.
      in1, in2, in3, inf1 is the IN Area id for each reader on the clock.
      out1, out2, out3, outf1 is the OUT Area id for each reader on the clock.
    Area:
      The Area table (id and description) should be populated with descriptions for
      each area ID used in the daughter table.
    OtherDev:
      If multiple clocks are used, then make sure the OtherDev table is populated
      with the serial number, and IP address of the remote clocks.
7. Pathing
To activate Pathing for the reader;
1. Set the Area Restriction (CA) for the reader to 2.
2. Set the IN area for the reader.
3. Set the OUT area for the reader
4. Make sure the otherdev table on all clocks is up to date.
ERROR TEXT = “Not in FROM area”
Note: A good understanding of Areas is necessary before configuring a system for Pathing.
Pathing is the same as Anti-passback except an extra requirement is added. If pathing is on, the Anti-
pass-back effect is on as well. With pathing an employee is REQUIRED to be in the IN area before they
can clock to the OUT area, or they must be in the OUT area before they can go to the IN area.
Tip: For Anti-Passback the rule is “the employee must be anywhere but there” whereas with pathing the
rule is “he has to be here to go there”. Thus pathing is a more restrictive form of anti-passback.
Pathing is typically used to enforce a “path” through the site for the employee to clock at.
If you have only one clock, then there is no practical difference between anti-passback and pathing.
For example;
An employee should clock in at the gate, cross the courtyard, then clock in to his building. When
leaving he has to clock out of his building, and then clock out at the gate. So there are 3 areas
involved, Outside, the Courtyard, and the Building. When he arrives he goes from the Outside
area into the Courtyard area. He then goes from the Courtyard area into the Building area. If he
now forgets to clock out of the building, he will NOT be allowed to go through the gate. Pathing
says he can only go through the gate if he is in the Courtyard. Since he forgot to clock out the
building, he is not in the Courtyard, and hence he will not be allowed through the gate. He will
need to return to his building, clock out there, and then proceed to clock out the gate.
Pathing is most useful in the case where you have a mix of Access Control (only) clocks, and Access
Control/Payroll clocks. It ensures that the user has clocked out correctly at the Payroll clock before
leaving the site via an Access clock.
Each reader on the clock needs to have the IN area and OUT area for the reader set.
If the Reader is set as an IN reader, then the employee is always moving from OUT to IN when using the
reader. The rules for this reader therefore only apply when he is coming IN.
If the Reader is set as an OUT reader, then the employee is always moving from IN to OUT when using
the reader. The rules for this reader therefore only apply when he is going OUT.
If the Reader is set as a TOGGLE reader, then the rules apply the same in both directions.
TIP: Although pathing works with a single reader, humans make mistakes, and will forget to
clock from time to time. To minimize the problems caused by missed clockings, we strongly
recommend the use of two readers per clock (ie a distinct IN and OUT reader) where pathing is
activated.
To activate Pathing for the reader, set the Area Restriction (CA) for the reader to 2.
The error displayed on the clock when the employee is not in the right area is Not in FROM area. A
clocking, type 50, will be created to log the attempt.
Programmers Note:
  Tables:
    Daughter:
      ca1, ca2, ca3, caf1 is set to 2 for Pathing to be on.
      in1, in2, in3, inf1 is the IN Area id for each reader on the clock.
      out1, out2, out3, outf1 is the OUT Area id for each reader on the clock.
    Area:
      The Area table (id and description) should be populated with descriptions for
      each area ID used in the daughter table.
    OtherDev:
      If multiple clocks are used, then make sure the OtherDev table is populated
      with the serial number, and IP address of the remote clocks.
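The CA rules from sections 6 and 7, run over the gate/courtyard/building example, as an added illustration that is not CapeSoft code. The `Reader` model, the area ids 2 and 3 and the helper names are assumptions; only fixed-direction IN and OUT readers are modelled, not TOGGLE readers.

```python
from dataclasses import dataclass

# CA values, error texts and clocking types are the ones given in the spec.
CA_NONE, CA_ANTI_PASSBACK, CA_PATHING = 0, 1, 2
DENY_ANTI_PASSBACK = ("Already in TO area", 52)
DENY_PATHING = ("Not in FROM area", 50)

# Constructed area ids; the spec only fixes Area 0 (Outside) and Area 1 (Inside).
OUTSIDE, COURTYARD, BUILDING = 0, 2, 3


@dataclass(frozen=True)
class Reader:
    """Hypothetical model of one fixed-direction reader's daughter-table settings."""
    ca: int          # Area Restriction (CA)
    in_area: int     # IN setting
    out_area: int    # OUT setting
    direction: str   # "IN" or "OUT"


def check_area(reader, current_area):
    """Apply the CA rule. Returns (allowed, area_after, error_text, clocking_type)."""
    if reader.direction == "IN":
        to_area, from_area = reader.in_area, reader.out_area
    else:
        to_area, from_area = reader.out_area, reader.in_area

    # CA=1: the employee cannot already be in the TO area.
    if reader.ca == CA_ANTI_PASSBACK and current_area == to_area:
        return (False, current_area) + DENY_ANTI_PASSBACK
    # CA=2: the employee must be in the FROM area. Being in the TO area also
    # fails this test, which is why pathing includes the anti-passback effect.
    if reader.ca == CA_PATHING and current_area != from_area:
        return (False, current_area) + DENY_PATHING
    return (True, to_area, None, None)


def walk(swipes, start_area=OUTSIDE):
    """Run a sequence of swipes for one employee; a denied swipe leaves the area unchanged."""
    area, results = start_area, []
    for reader in swipes:
        allowed, area, error, ctype = check_area(reader, area)
        results.append((allowed, area, error, ctype))
    return results


def site(ca):
    """The gate/courtyard/building site from the pathing example, two readers per clock."""
    return {
        "gate_in": Reader(ca, COURTYARD, OUTSIDE, "IN"),
        "gate_out": Reader(ca, COURTYARD, OUTSIDE, "OUT"),
        "bldg_in": Reader(ca, BUILDING, COURTYARD, "IN"),
        "bldg_out": Reader(ca, BUILDING, COURTYARD, "OUT"),
    }


def forgot_to_clock_out_of_building(ca):
    """Enter through both doors, then head for the gate without clocking out of the building."""
    r = site(ca)
    return walk([r["gate_in"], r["bldg_in"], r["gate_out"], r["bldg_out"], r["gate_out"]])


def card_passed_back(ca):
    """Enter at the gate, then the same card is swiped at the gate IN reader again."""
    r = site(ca)
    return walk([r["gate_in"], r["gate_in"]])


if __name__ == "__main__":
    for ca in (CA_ANTI_PASSBACK, CA_PATHING):
        print("CA =", ca)
        for step in forgot_to_clock_out_of_building(ca) + card_passed_back(ca):
            print("  ", step)
```

With CA=1 the employee who forgot to clock out of the building is still let through the gate, because the rule only checks that he is not already Outside; with CA=2 the same swipe is refused and logged as type 50.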
8. Payroll Requirements
If you have a mix of Payroll and Access Control clocks, then you can limit the use of a specific Access
Control clock, depending on the employee’s current Payroll status.
In other words you can require that an employee is clocked in before using an Access clock, or you can
require that the employee is clocked out before using an Access clock.
Example:
Each work area has a payroll clock. When the employee leaves the work area they are required
to clock out. Access Control clocks at the main gate, and cafeteria will deny the employee access
(OUT, and IN respectively) if they have not clocked out at their workstation. While it is possible
to make the Cafeteria, and Gate clocks automatically clock the employee out, there may be
physical distances involved that make it preferable for the employee to clock out at their
workstation.
Remember this setting is set on a per-reader basis. If you apply this feature at the main gate, you would
want to prevent people leaving if they have not clocked out, but you would not necessarily want to
prevent them entering if they are already clocked in. Thus the settings for the readers on any one clock
may be different to each other.
Programmers Note:
  Tables:
    Daughter:
      pa1, pa2, pa3, paf1 is set to 1 if the employee must be IN, or to 2 if the
      employee must be out.
      in1, in2, in3, inf1 is the IN Area id for each reader on the clock.
      out1, out2, out3, outf1 is the OUT Area id for each reader on the clock.
    Area:
      The Area table (id and description) should be populated with descriptions for
      each area ID used in the daughter table.
9. Access Rights
To activate Access Rights for the clock;
1. Optionally set the Default No Access setting to 1.
2. Optionally add specific employee/clock/access combinations.
ERROR TEXT = “Clock Not Authorized”
Access Rights determine if an employee is able to make use of a specific clock. Note that access rights
are set at the clock level (parent or child), not the reader level.
If no specific setting is entered for a specific employee/clock combination then the default setting for
this employee is used. If there is no default employee setting then the default setting for the clock is
used.
The error that will appear on the clock if the employee does not have access to this clock is Clock Not
Authorized. A clocking, type 54, will be created to log the attempt.
Programmers Note:
  Tables:
    Timezone
      Contains the id, description, and times for a specific time zone set.
    Empaccess
      Links an employee, clock, and access right. The default setting for an employee
      has serial set to zero. If no records for a specific employee/clock exist then the
      employee default will apply. If no records for the employee exist, then the
      clock default will apply. Multiple records for an employee/clock combination
      are allowed.
      Tip: If multiple records exist for the employee/clock combination,
      because multiple time zones are in effect, then they should all have
      their Access field set to the same value (either 1 for access, or 0 for no
      access).
10. Time Zones
To activate Time Zones for the reader;
1. Create one or more Time Zone sets.
2. Set the Default Time Zone for the clock.
3. Optionally add specific employee/clock/timezone combinations.
4. Optionally set the Override Time Zone for the clock.
5. Optionally set the Time Zone On In Only setting.
ERROR TEXT = “Out Of Time Zone”
Time Zones allow you to limit the times when people can use the clock. For example you may decide
that a clock used to access the cafeteria can only be used between 10am and 4pm. A remote depot may
only be accessible during weekdays, from 6am to 6pm, and so on.
Note that time zones are set at the clock level, not the reader level.
On each clock, time zones can be enabled for IN and OUT clockings, or just for IN clockings.
A collection of time zones together is known as a Time Zone Set. For example, in a restaurant you may
want to limit access to the morning (10am to 1pm) for cleanup and prop work, followed by a no-clock
period followed by the times for evening service (say 6pm to 11pm). These two time zones together
would form a time zone set.
Each clock can be assigned a default time zone set. Employees without a specific time zone set for this
clock will use this default.
Employees can be assigned a time zone set for a particular clock. If assigned to an employee this setting
will override the default time zone set completely, i.e. they are exclusive in nature, not inclusive.
An override time zone set can be set for a clock. This overrides any time zone set that may have been
assigned to individual employees.
You can create any number of time zones for a clock. Each time zone consists of an id number, a
description, and start & end times for each day of the week. The end time can be smaller than the start
time (ie implying that the time zone stretches across midnight.)
To disable time zones completely on a clock set the overridetimezone to -1.
The error that will appear on the clock display, if the employee is outside his time zone, is Out of Time
Zone. A clocking, type 51, will be created to log the attempt.
Programmers Note:
  Tables:
    Timezoneset
      Contains the id, description for a specific time zone set.
    Timezone
      Contains the times when clocking is allowed. Also contains a link to the
      Timezoneset table.
    Daughter
      Has settings for defaulttimezone, overridetimezone and timezoneoninonly.
    Empaccess
      Links an employee, clock, and timezone set. The default setting for an
      employee has serial set to zero. If no records for a specific employee/clock
      exist then the employee default will apply. If no records for the employee
      exist, then the clock default will apply. Multiple records for an employee/clock
      combination are allowed.
      Tip: If multiple records exist for the employee/clock combination,
      because multiple time zones are in effect, then they should all have
      their Access field set to the same value (either 1 for access, or 0 for no
      access).
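An added sketch, not CapeSoft's implementation, of how the precedence rules and cross-midnight zones described in this section combine into one decision. Assumptions: `None` stands for an unset override, a zone's end time is exclusive, the after-midnight part of a zone belongs to the day it started on, and all ids and sample records are constructed.

```python
from datetime import datetime, time

DISABLED = -1                      # overridetimezone value that turns time zones off
DENIED = ("Out Of Time Zone", 51)  # error text and clocking type from the spec

EVERY_DAY = range(7)
ZONES = {  # constructed sample data: time zone set id -> list of zones
    1: [{d: (time(10), time(13)) for d in EVERY_DAY},   # restaurant, morning
        {d: (time(18), time(23)) for d in EVERY_DAY}],  # restaurant, evening service
    2: [{d: (time(22), time(6)) for d in range(5)}],    # night shift, Monday to Friday
}
EMPACCESS = [(7, 1001, 2)]  # constructed: (employee, clock serial, time zone set)
CLOCK = {"defaulttimezone": 1, "overridetimezone": None, "timezoneoninonly": 0}


def in_zone(zone, when):
    """zone maps weekday (0=Monday) to (start, end); end < start crosses midnight."""
    t, day = when.time(), when.weekday()
    today = zone.get(day)
    if today:
        start, end = today
        if start <= end and start <= t < end:
            return True
        if end < start and t >= start:  # evening part of a cross-midnight zone
            return True
    # Assumption: the after-midnight part is taken from the previous day's record.
    prev = zone.get((day - 1) % 7)
    return bool(prev and prev[1] < prev[0] and t < prev[1])


def pick_sets(clock, empaccess, emp, serial):
    """Choose the applicable time zone set ids in the precedence the spec describes."""
    if clock["overridetimezone"] is not None:
        return [clock["overridetimezone"]]          # override beats employee settings
    for key in ((emp, serial), (emp, 0)):           # this clock, then serial 0 default
        sets = [tz for (e, s, tz) in empaccess if (e, s) == key]
        if sets:
            return sets                             # replaces the clock default entirely
    return [clock["defaulttimezone"]]


def check_time_zone(clock, empaccess, zones, emp, serial, direction, when):
    """Return (allowed, error_text, clocking_type) for one clocking attempt."""
    if clock["overridetimezone"] == DISABLED:
        return (True, None, None)
    if clock["timezoneoninonly"] and direction == "OUT":
        return (True, None, None)
    for set_id in pick_sets(clock, empaccess, emp, serial):
        if any(in_zone(z, when) for z in zones.get(set_id, [])):
            return (True, None, None)
    return (False,) + DENIED


if __name__ == "__main__":
    monday_11 = datetime(2013, 8, 5, 11, 0)   # a Monday
    tuesday_02 = datetime(2013, 8, 6, 2, 0)
    for emp, when in ((5, monday_11), (7, monday_11), (7, tuesday_02)):
        print(emp, when, check_time_zone(CLOCK, EMPACCESS, ZONES, emp, 1001, "IN", when))
```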
11. Locked Mode
To activate Locked mode for a clock;
1. Turn on the global setting called Locked
There are times when the clock needs to be “off” with regard to people clocking. During these times
employees cannot clock IN, and the clock will not trigger any of the doors or turnstiles to open.
(Employees can clock OUT, and the doors will work for people clocking OUT.)
This mode is useful if the office is closed (for example for the annual holidays).
Administrators (not Supervisors) can Lock and Unlock the clock using the Administrator menu (#9).
The error that will appear on the clock display, if the clock is locked, and the employee is attempting to
clock in is Clock Locked. A clocking, type 53, will be created to log the attempt.
Programmers Note:
  Tables:
    Daughter
      Has setting called locked.
12. Errors
If an employee attempts to clock, but fails because of one of the restrictions above, then one of the
following errors will be displayed on the screen.
Error                   For more information see section
Already in TO area      Anti-passback
Not in FROM area        Pathing
Clock Not Authorized    Access Rights
Out of Time Zone        Time Zones
Clock Locked            Locked Mode
13. Adding a reader to a clock
When adding a reader to a clock you need to set the following settings for the reader in the daughter
table;
Setting   Possible Values
TD        0 = Leave employee’s payroll status unchanged.
          1 = Set employee’s payroll status to IN.
          2 = Set employee’s payroll status to OUT.
          3 = Toggle employee’s payroll status.
AE        0 = Leave employee’s area status unchanged.
          1 = Employee is moving to area set in IN setting.
          2 = Employee is moving to area set in OUT setting.
          3 = Employee is moving to area which he is not currently in (or if neither, then
              the area is set in IN).
          4 = Employee is moving to area specified in IN or OUT, depending on TD rule.
IN        The area number designating the IN area.
OUT       The area number designating the OUT area.
CA        0 = No area restrictions.
          1 = Employee cannot already be there, i.e. if going IN then cannot already be in
              the IN area, if going OUT then cannot already be in the OUT area.
              (Anti-passback)
          2 = Employee must already be here, i.e. if going IN then their current area must
              be the OUT area, if they’re going OUT then their current area must be the IN
              area. (Pathing)
PA        0 = No restrictions.
          1 = The employee’s payroll status must already be IN.
          2 = The employee’s payroll status must already be OUT.
DA        0 = Do not display the area name of the area the employee is moving into.
          1 = On the screen, display the name of the area the employee is moving into.
INRB      Set this to an appropriate number to trigger the relays that must pulse when
          the employee successfully uses this reader, and their PAYROLL status is
          changing to IN. (See the relay settings table below.)
OUTRB     Set this to an appropriate number to trigger the relays that must pulse when
          the employee successfully uses this reader, and their PAYROLL status is
          changing to IN. (See the relay settings table below.)
INARB     Set this to an appropriate number to trigger the relays that must pulse when
          the employee successfully uses this reader, and their ACCESS status is
          changing to the area designated in IN. This setting has preference over the
          INRB and OUTRB settings. (See the relay settings table below.)
OUTARB    Set this to an appropriate number to trigger the relays that must pulse when
          the employee successfully uses this reader, and their ACCESS status is
          changing to the area designated in OUT. This setting has preference over the
          INRB and OUTRB settings. (See the relay settings table below.)
14. Relay Settings Table
There are up to 3 relays in a CS TimeClock. There is also an internal buzzer which is triggered as a relay.
Each relay has a value:
Relay Name   Value
Relay 1      1
Relay 2      2
Relay 3      4
Buzzer       128
The appropriate relay setting is determined by adding together the values of the desired relays.
Example;
1. Trigger Relay 1 by itself. Appropriate setting = 1.
2. Trigger Relay 1, and Relay 2 together. Appropriate setting = 1+2=3.
3. Trigger Relay 2, and Relay 3 together. Appropriate setting = 2+4=6.
4. Trigger Relay 3 and the Buzzer together. Appropriate setting = 4+128=132.
5. Trigger all Relays, and Buzzer. Appropriate setting =1+2+4+128=135.
15. Tables
Tables in the database used wholly or partly by the Access Control features are;
Table         Description
Area          Contains the id, and description of all the areas defined by the user.
              Area 0 (Outside) and Area 1 (Inside) are created by default.
Daughter      Settings for each clock, and for each reader are contained in this table.
Empaccess     Contains 0, 1 or more records for each employee, for each clock. Determines
              whether an employee can use a clock, and during what times the clock can
              be used.
TimeZoneSet   Contains an ID. This ID is the one assigned to employees and clocks.
              Employees allocated to this time zone set, can use the clock(s) only during
              the periods of the day defined in the TimeZone records that belong to this
              set.
TimeZone      Can be one or more records per TimeZoneSet. Contains a start and end time
              for each day of the week.
Document version history
Version 1.2. 1. Minor correction: Time zones can be disabled by setting the overridetimezone field in the
daughter table to -1.